CyberWire Daily - IoT 2017 – Securing the Things: A CyberWire Special Edition [Special Edition]
Episode Date: June 29, 2017
The IoT, or Internet of Things, broadly defined is the collection of physical objects with IP addresses, connected to the internet. From consumer devices like security cameras, DVRs, and smart thermostats to industrial control systems and autonomous cars, the IoT offers potential for both opportunity and vulnerability. In the first half of this CyberWire Special Edition, we speak with IoT experts Katie Curtin, director of IoT cyber security product management for AT&T, and Chris Poulin, Principal at Booz Allen Hamilton, where he leads internet of things security strategy for their strategic innovation group, as well as their industrial control group. They provide their take on the current state of the internet of things for consumers, enterprise, industrial control and even self-driving cars. In the second part of our program, we examine third party risk. Ponemon Institute recently released an independent research report titled, “The Internet of Things - a New Era of Third Party Risk.” Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, and he’s going to take us through some of the report’s findings, but first we’ll hear from Gary Roboff, a senior advisor at Shared Assessments and their Santa Fe Group, who were the sponsors of the report.
Transcript
You're listening to the CyberWire Network, powered by N2K.
The IoT, or Internet of Things, broadly defined is the collection of physical objects with IP addresses connected to the Internet.
From consumer devices like security cameras, DVRs, and smart thermostats to industrial control systems and autonomous cars,
the IoT offers potential for opportunity and vulnerability.
In the first half of this CyberWire special edition, we speak with IoT experts for their
take on the current state of the Internet of Things for consumers, enterprise, industrial
control, and even self-driving cars.
Later in the program, we examine third-party risk with some sobering statistics from a recent
IoT industry survey. Stay with us.
We're certainly living in a new world, in a new connected world, that is.
Katie Curtin is Director of IoT cybersecurity product management for AT&T.
With self-driving cars quickly emerging or smart manufacturing environments really run by robots,
or even smart city environments where all the data and diagnostics is collected through connected energy grids or streetlights or water supply networks,
we're really living in a new type of world where connectivity is paramount.
It's driving new types of devices now being connected to the Internet
and creating a lot of value for the consumers of those devices.
However, when we talk about security and these newly connected devices now back on the grid,
becoming really critical components of how
the business and the public systems are now using these devices have now become almost like
infrastructure. So the need to secure these devices and secure these environments, folks cannot afford
a compromised scenario. So with IoT security, definitely growing in more concern. And as we
see more headlined examples where devices can be leveraged for
malicious reasons, certainly security is top of mind now and more so brought into those
conversations when we start addressing the value of IoT. There are two parts to that. Number one is
where are we from the actual functional perspective, right? So why are people making
and adopting IoT devices? Chris Poulin is a principal at Booz Allen Hamilton, leading the
Internet of Things
security strategy for their strategic innovation group, as well as their industrial control group.
We're still sort of on the beginning stages of that, I think. We're transitioning away from
people just coming up with random ideas and putting them into products and actually starting
to think about what the value is. That's good. The problem is that we're still finding our way.
We're still sort of at the beginning of figuring out how to make things
and how to instrument them and how to make them intercommunicate.
And as always, though, the second component is security,
which is, when I say as always, I mean it's an afterthought.
So I know that there are lots of IoT makers who are starting to think about security.
And a lot of them, by the way, think about security early on in the process, but they don't bother to flesh it out because it's
slow. It slows down progress. It slows down development of the product in the first place.
Security is often at odds with functionality. So the perfectly secure product does nothing,
right? And the perfectly functional product has no security. So there's always this tension
between those two things. And so it's usually put off until after the product has been proven and produced
and there's a market for it. So one of the big problems in this space is that a lot of these
devices that are now being connected to the internet were never built to be connected to
the internet. They're legacy devices, PLCs, HMIs that serve a great purpose and are very robust devices and perform
robust operational functions. But now that they're being connected to the internet, it brings a
boatload of new security concerns and questions about how to secure these devices. One of the
big key learnings that we've learned in talking with our customers is that, you know, while
manufacturing energy and similar industrial verticals are adopting IoT for the obvious reasons and value that it provides,
the ability to secure these environments and these industrial control systems,
you can't quite treat them the same as you do with your IT security strategy.
Traditional IT security measures do not necessarily translate to the operational side or operational technology.
I wouldn't say that they're necessarily
lagging behind. I think instead we need to build out a stronger strategy to specifically address
those OT-specific needs and adopt strategy to specifically start securing these environments
and addressing the unique nuances that it brings. On the consumer side of the IoT, we hear of devices like security
cameras or DVRs being herded into botnets and being used for things like distributed denial
of service attacks while still maintaining their original functionality. There's little incentive
for either the consumer or the manufacturer to update the installed device. I think the Mirai
botnet and WannaCry are the most recent examples. They've proven that the insecurities at the consumer level can actually affect enterprises. And in fact,
with Mirai, it can affect the internet infrastructure, you know, by going after
some infrastructure provider. What that means is that you don't have any incentive on the consumer
side. So you have to put regulation in place. And the regulation is going to be difficult to
impose on the consumers themselves. So it actually, by necessity, is going to have to be imposed on the manufacturers.
And in the case of Mirai, the way to deal with that is to actually go back to the consumers,
excuse me, the makers and say, if you put hard-coded passwords, accounts and passwords
in your product, then we're going to penalize you. And you have to conform to certain best practices, such as in order for this device to be installed
and usable at a consumer's site, they have to set a password and it has to conform to
certain strength requirements.
And it has to be updatable.
Now that we are seeing more top headlines around various different cyber
attacks, I do think that the general consumer space is getting a bit more aware. Granted,
we still have a lot more work to do in that space. And I think we also need to kind of dumb
down the language around cybersecurity so it's not deemed to be such a more complex topic and
make it more consumer friendly. But really, it's consumer
behavior will drive the types of devices or the types of products that OEM should be building.
And I think when we talk about kind of liability and in the event of a breach,
the various different pieces of the ecosystem, hopefully we'll see that changing where,
you know, manufacturers could be taking on more ownership or there will be standards or, you know, guidelines that certain individuals or companies would have to abide by.
What do you think of this notion of there needing to be sort of an equivalent of underwriters' laboratory for IoT?
Definitely, I think, top of mind, and I've been hearing it in our circles quite frequently recently.
I'd say it's a best
practice when we're talking about IoT or really broader to your cybersecurity posture to have a
third party, an unbiased third party, an outsider to come and evaluate your environment and
essentially provide a risk assessment or recommendation on how best to increase or
improve your security. Now we're talking about IoT especially since that's such a nascent and new area
where a lot of customers are grappling
with how to secure their IoT infrastructure
or IoT networks
and don't quite have a strategy in place.
Adopting a UL type of program
where you have outside consultants
to assess where you are in that risk assessment
based on these newly connected devices into
your environment, certainly a best practice and would recommend. Totally in favor. However,
it's an interesting conundrum, right? The UL is really good at dealing with hardware sides of
things. So let's just take the toaster or refrigerator, which seem to be ubiquitous
consumer-based IoT devices. When a toaster from the UL catches fire in normal operation,
then the manufacturer can be held liable for that.
And the UL sets the guidelines and does the testing for those things.
But then on the other hand, right, so basically the liability falls back on the maker is what I'm saying.
On the other hand, when you look at software nowadays, the end-user license agreement pretty much puts all the liability on the consumer.
So when you start connecting toasters from a UL perspective and then you have software, you basically are combining two
different liability models and who actually ends up being liable if the toaster catches fire because
of a software flaw. And then looking at it from a sort of an orthogonal perspective, what if,
because of the right to repair, a consumer decides that they're going to soup up
their toaster for whatever reason? Now they modify the firmware and the toaster catches on fire.
Who's liable at that point? I agree that we should have some sort of UL type of certification,
but I don't know how we're going to do that with software. I think there are ways to do it,
but I also know that having worked in the software industry for over 30 years that
we still don't write secure code. And there's no definitive way to say that something
has a quantitative measure of security. So we've got to figure out how we're going to
quantify what we consider to be code level security, figure out the liability
calculus. And once we do those things, if we can do those things, then we'll have a UL type of
certification for products. Another emerging and rapidly evolving IoT sector is the automotive
industry, with semi-autonomous cars on the roads today and projects well underway for fully
autonomous vehicles. And many new cars these days are equipped with integrated mobile internet connections. Car manufacturers are quite concerned.
I would say that there's a pretty broad level of maturity or at least commitment to solving
the cybersecurity problem.
In other words, they're all committed to doing it.
They understand.
And interestingly, I don't know how much of the history you know, but back in 2010, the
University of California, San Diego and University of Washington put out a paper that basically profiled how you could hack into
a car.
And then they produced a second paper in 2011 showing how the external threat surface allowed
you to hack into it from outside the car.
And then those same researchers, three or four years later, sort of mimicked that same
research by doing it, you know, sitting in the backseat of the car with a cable snaking
across into the dashboard. And then, you know, a year and a half later, they managed to hack the
Jeep remotely across the airwaves. And so some automotive manufacturers are actually taking it
absolutely seriously. And they've re-architected their organization to provide security at all
levels. And that's great. Some of them actually are concerned about it, but they're not spending
a lot of money and they have not yet realized that they need to have governance and guidance across the entire organization instead of just within the car design and then separately in the back end systems, which accept the data and mediate the communications to and from the car.
So I see a broad level, but they're all interested in it.
But the one thing I will say that's kind of interesting about that is right now we haven't seen a sweeping motive for a threat actor to actually attack the cars. And I personally believe that in most of the cases, aside from some extremists, which comprise probably a fairly small segment of risk, the motive is going to be largely financial and
potentially nation state. So the two use cases that I think are most likely are ransomware in
a vehicle, you know, so stopping your car from starting and demanding Bitcoin over your
entertainment system, you know, the screen in the car before you can start your car.
And then the second one is a nation state potential motivation would be not to do anything harmful to the passenger. I don't think that general
cyber criminals are motivated to harm somebody. That's an ethical line that I don't think is going
to be crossed anytime soon, at least not purposefully. But nation states would want to
break in and then listen to state secrets
on government vehicles, for example, over the hands-free microphone. Those are two of the
more likely motives that I can see in the near future. Looking toward the horizon, both Chris
Poulin and Katie Curtin are cautiously optimistic about the IoT. It's still relatively new and
rapidly evolving. Cyber is one of those things that
when you make it just an economic incentive, then you're not doing the industry a service.
And so I think to a certain extent, we need to do two things. Number one, as researchers and
people who are on the leading edge is go start working with these products. So go buy a connected
car. Don't just be the fearful
security person. Go get those things and start understanding how they work. And, you know,
if you've got a technical background, start whacking with them, you know, see if you can
plug into the OBD2 board and leverage some other people's work and see what kind of things seem
to be insecure in your vehicle. So in other words, eat your own food in a way. And then that will help to inform
you as a security person. And then you can also share that with the research community and in the
consumer product and in the enterprise product community. But number two is also start doing
something that is more of a crowdsourced way to help people. So one of the things that's sort of
interesting to me is, you know, we talked about the consumer products and how the Mirai botnet took advantage of the fact that consumers don't know
how to protect their products. So one of the ways we might be able to do it to help out with
consumers is go find these products that are insecure. So if people have web cameras that
are insecure, they have default passwords on them. And then work with law enforcement,
because technically we don't have the ability to go and, even if I know what the password is for
somebody's webcam and I know that it's insecure, it's beyond my legal rights to actually log in
and change their password instead of an email saying, hey, I just helped you. That's not
kosher. Don't do that. So work with law enforcement to find out a way to say, look, we found that there's this systemic problem with a webcam or we found a problem with energy and utility.
There's been some generator that's exposed online.
So work and actually go out and find these things that are insecure, find the right people and notify them.
It's sort of what researchers are doing now,
except that they're breaking into,
or they're reverse engineering firmware
in vehicles and things like that.
I'm not saying go do that,
because not everybody has that skillset,
but there are a lot of us out there
that can actually determine when something is exposed
when it shouldn't be.
And so take the time to actually find out
how to notify someone in
authority who has the authority to help to make that thing more secure. And that's just one
example, by the way. Find out where your own project is and then try to help other people
without demanding payment for it. I think it first starts with awareness and continuing to highlight
the risks and issues that these IoT applications and infrastructures could potentially cause.
We hear it more often than not that security is that afterthought and oftentimes adopted or considered
only when another company within the same vertical or their competitor within the same vertical got hacked.
Then they start thinking about it.
We really need to stop that type of thinking and ensure that security is built within the design phase. And folks are
more aware as they're adopting IoT practices to ask those security questions. You know, ensure
that you're purchasing the right type of application or device from a trusted or well-known
device manufacturer. So you're asking those questions right at the forefront.
But outside of that, I think the technology needs to emerge. When we talk about IoT and
kind of the nuances that IoT brings, especially around the device itself, it's kind of the wild,
wild west. And when we talk about the various types of devices that are now in the ecosystem
and the lack of standards that we really have. So the technology needs to emerge
where we can get to a widely adopted standard when we're talking about IoT protocols or IoT
clients on the device itself. Because a lot of these devices, the IoT devices, may not be as
robust as a smartphone device where you can run robust security software. Being able to apply
the right technology and the right security controls
to those types of devices, whether it be through known standard protocols or bringing those
protections into the network, we really need to bring that technology so it is more readily
accessible for these wide, vast number of devices and device types that are now within the IoT
ecosystem. That's Katie Curtin from AT&T and Chris Poulin
from Booz Allen Hamilton. In the second part of our program, we take a look at third-party risk.
The Ponemon Institute recently released an independent research report titled
The Internet of Things, A New Era of Third-Party Risk. Dr. Larry Ponemon is the chairman and
founder of the Ponemon Institute, and he's going to take us through some of the report's findings.
But first, we'll hear from Gary Roboff, a senior advisor at Shared Assessments and the Santa Fe Group,
who were the sponsors of the report.
Third-party risk is a term that really applies to companies who outsource specific activities to vendors or third parties.
And when a company outsources a given activity, it actually can outsource the activity, but it can't outsource the management or the responsibility for controlling that risk.
And that's the heart of the issue.
So if, for example, I'm a company and I have a certain security hygiene standard, it's
incumbent on me to make sure that if I've outsourced that particular activity to another
entity, that that company is meeting the same level of security hygiene that would be in
place if I had been doing the activity myself.
What we found is that in general,
our respondents, 553 qualified respondents to the survey, in general, identified IoT risk as something that is very significant for their organizations. That's Dr. Larry Ponemon. At the
same time, they recognize the need to innovate in IoT. You know, in other words, IoT is not
necessarily a bad thing. It actually accomplishes all sorts of good things for society, and it could be very profitable
for companies.
So it wasn't about stopping the IoT train, freight train.
It was about how do you make it more secure.
So even though there was a high level of awareness about IoT as a potential risk area, organizations
were doing very little to manage that risk.
You know, one of the surprising findings is that the majority of respondents believe that IoT
was not on the radar screen of C-level executives. You know, the people who
tried the organization weren't necessarily understanding or seeing IoT risk as something that could be potentially very
serious. When we asked whether the board of directors requires assurances that IoT risk
among third parties is even being assessed, only 25% of the respondents said, yes, my board wants
those assurances. That's a very important finding. Yeah, I mean, I would say that's a bit of a sobering finding.
I mean, what do you think is behind this disconnect between what I think many people,
certainly on the IT side, are recognizing as an important risk and the boardroom maybe not being up to speed on realizing it?
What we found not only in this study, but, you know, other Ponemon studies,
is boards of directors and C-level executives are being held responsible by regulators and the public at large for ensuring that information or IT infrastructure is maintained at a high level
of security. In reality, a lot of boards and C-level executives do not see security as a strategic issue.
They see it as tactical, and therefore they push responsibility down in the organization.
And so what we see is a schism where you have security experts and IT operations folks and all sorts of good people fighting fires and dealing with problems, but the issues are not necessarily
elevated to the C-level or to members of the board. Occasionally, when there's a disaster,
I'm sure, for example, the Target board of directors, they were informed, but it was
probably after the fact. So these are long-lasting problems, and it is incumbent on organizations to build a culture for security so that information about security risks, security expertise, which is being increasingly demanded,
at least by regulators in the financial services industry. You've seen a number of large boards
actually go hire individuals to serve on the board, usually on risk committees
that have a degree of dedicated expertise in emerging risk issues.
That's a very important trend.
A lot of that is a function of what the tone at the top is like at the board level, how
good a job the board has done in structuring a risk management regime that enables two-way
communication. So not only does the board
want to be setting the tone for the types of expectations that it has about compliance and
ethical behavior and really conveying the risk appetite that any board will develop over time,
that certainly needs to be diffused throughout the organization.
On the other hand, all levels of the organization have to have a clear communications channel up to
the board, and the board has to listen. There has to be a structure in place to enable that
conversation to take place. And we're gradually beginning to see, I think, some progress in those
areas. So one of the questions we asked, we use a likelihood scale, you know, how likely will this
scenario occur? And we asked our respondent to kind of think two years ahead, what is the likelihood?
And we got this one result that was just amazing. The likelihood that a security incident related to unsecured IoT devices or applications could be catastrophic to the company, 94% believe that to be so.
Here's another striking result.
The loss or theft of data caused by unsecured IoT devices or applications, 78% believe that that was likely over the next two years. And finally, a
cyber attack caused by unsecured IoT devices or applications, in other words, we left a hole in our
chain, our chain of trust I should say, wasn't working very well, and that was 76% believe that
to be likely. So, you know, again, our respondents believe that this is a problem
and it will probably get worse over the next two years, even though we're really not doing a lot
right now to create that secure infrastructure. If you believe what security people inside of
organizations say, they really recognize that there is a huge security hole. You know, you can also say that's a very
positive outcome. I think what you have to then look at are other things that have come out of
the survey. Things like, is managing third-party IoT risk a priority in your organization?
Only 30% said yes, right? And then does your organization allocate specific resources to managing IoT third-party risks? Only 27% said yes.
So you have that gap between, at the moment, the recognition and sort of you're getting a sense of the culture within organizations.
And what you hope and expect is that that gap will begin to shrink pretty quickly.
In terms of the regulatory framework, do we see, what is the influence that we're going to see from there?
In other words, you know, buildings were required to have fire escapes, and that helped a lot more people survive fires.
Do we think we're going to be in a situation where we're going to see more regulations to ensure that some of these vulnerabilities are taken care of?
My thinking is twofold.
In some sectors, such as financial services, there's already high-level guidance that actually incorporates in a broad way the Internet of Things. I'm not sure that boards have recognized
that yet, but they will, and regulators will enforce it. You can see an environment where
there are many different types of attacks that cause different sectors.
We've talked about the medical sector.
We've talked about the automobile industry.
Anything that is connected where you have the ability to cause a headline
that involves serious consequences to a large number of individuals, or even in some cases,
a small number of individuals, is likely to involve some type of standardized approach to
solve the problem. In some places, that's definitely going to be a regulatory intervention. It's really essential to include third-party IoT risk
in all levels of governance, right? So we see that that is missing as a priority at the board level.
We see that resources are not being allocated properly to address IoT risks today. So number one recommendation is
there has to be recognition of the problem that's got to be incorporated into enterprise risk
management systems and processes that exist already. The board has to understand fully
what the consequences of IoT attacks might be for their firm.
Recommendation number two is that asset management processes and inventory systems really must include IoT devices.
And more than just a simple inventory, it's essential that firms understand the security characteristics of every
IoT device that's both within their four walls and ideally within the four walls of their vendors
if those vendors support critical activities that can cause serious consequences for the firm that
has done the outsourcing. And when devices are found to have inadequate security
controls, they need to be replaced and they should be replaced quickly. You want to make
sure that your third-party assessment techniques and the processes around those techniques
are really adequate to ensure the presence and effectiveness of controls around IoT devices. Very basic.
So IoT today, it's about technology that allows us to do all sorts of really great things.
There will continue to be innovation in the IoT ecosystem. But the idea is that there's no reason
why we don't build security as part of the innovation process. In other words, it's not an either-or, but it's both.
There's no reason why we can't start to see organizations in the early phase,
during the engineering phase of the product development lifecycle,
starting to think about how to secure those devices.
I think regulations will play an important role,
but I think it's going to be incumbent upon organizations,
even from a profitability point of view, to make sure that they're starting to build
security into these devices at a very early phase in the development lifecycle. We're starting to
see that in the medical device area, but we don't see that in other IoT devices like your
refrigerator or microwave or television. Or your car, really.
Or your car, yeah, exactly. Yeah, Gary, I'm curious,
you know, when it comes to quantifying the risk from IoT devices, you know, again, using the
analogy of fire prevention, you know, I can, when I'm thinking about fire for the building that I
own, I can install sprinklers and I can also buy insurance. And those are two different approaches to dealing with
the possibility of having a fire. In something that's rapidly evolving the way it is and also
is as new as it is, how do you go about helping organizations determine how best to invest their
money in that spectrum of possible ways to deal with these sorts of risks?
You know, first of all, it's very important to collaborate. You want to be able to collaborate
with peers, with associations. You want to socialize approaches in ways that will give
you insights that you might not necessarily see within your own four walls. I can't stress how important it is to collaborate with industry experts, with associations,
even with regulators.
That can be a very important way to even begin to think about how you address some of the
concerns.
There are concerns that come from outside and about which you might
have little ability to stop. An example of that is a distributed denial of service attack.
You're going to have no effective say about whether an attempt of a denial of service attack
happens on your company, but you will have something to say about how effective
it can be. We've already seen distributed denial of service attacks that come from IoT devices.
Firms ought to be taking steps to prevent the consequences of those attacks from having a material impact on their ongoing operations.
There are steps that you can take as a corporation or as any organization to help prepare yourself,
both from the perspective of what happens within your own four walls and what happens with the vendors that you use to help you
complete processes that are essential. We've talked about some of those. It's about inventory control.
It's about making sure that you have effective controls over all of your IoT devices. That's sort of IoT risk management 101. And to the extent that you can
follow through with even some very basic steps, you have the ability to at least partially
mitigate the consequences of IoT issues in your own environment.
We think that this research is important because it starts to establish a risk management
perspective, the need to think broadly about how IoT devices in different forms will impact
the organization.
And I think this shows that we have a lot of work to do to improve the
state of security and security posture, you know, with respect to IoT. But it's a starting point.
And as Gary mentioned, there's also some lessons that basic steps that organizations can take
immediately that will not drive costs, up costs too much anyway, like policies and procedures
and training and creating awareness, creating a governance
process and the culture for security, I think will go a long way to reducing some of these
more salient IoT risks that we discussed.
And that's our CyberWire special edition.
Our thanks to Dr. Larry Poneman, Gary Roboff, Katie Curtin, and Chris Poulin for joining
us.
If you enjoyed this program, we hope you'll share it with your friends and colleagues, and that you'll subscribe to our podcast and leave a review on iTunes. Thank you. Our editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.